I've had this issue for a couple of months, and I can't seem to get it resolved.

I have a couple of file servers in my domain. If I try to browse the shares on FS1 from a computer using the local Administrator account, it always prompts me to log in with domain credentials. If I try to browse the shares on FS2 using the local Administrator account, it enumerates the shares without prompting for domain credentials.

Why is FS2 allowing me to enumerate shares using a local Administrator account? It's almost as if it's acting like it's in a workgroup and not a domain.

Sounds to me that either the Share permissions or file security is set to Domain Users or Authenticated Users on FS1. Most likely the share permissions are set to this. As a test, add Everyone to the share permissions and see if that takes care of it. Then you will know where the issue is.

Are the Share permissions the same? These are different from NTFS permissions. Does FS2 allow "Everyone" access to the shares while FS1 does not?

I do actually have a similar problem with the shares as well. I believe, though, that both issues have the same cause. FS2 is treating any "Administrator" account on any machine as if it were the local administrator on the server itself. This is normal behavior in a workgroup, but not in a domain. FS1 works correctly, prompting for credentials when anyone tries to access it, including local Administrator accounts.

The problem I was explaining in my original post was enumerating the shares, for example by typing "\\FS1" or "\\FS2" in the Run prompt from the Start menu. When I'm logged on as the local Administrator on any machine on the network (domain or not) "\\FS1" prompts me for credentials, while "\\FS2" enumerates the available shares on the server without prompting at all.

If I try to enumerate the shares on either server using any other local account, I get prompted by both servers.


Actually, what I want is for both servers to prompt for domain credentials. I've checked FS2 to make sure that none of the shares have Everyone access. Although I'm not able to browse the shares, I'm able to enumerate them. And again, this only happens when I'm using the local "Administrator" account on the workstations.

Initially, my reaction is that the Everyone group is allowed on some level, but you state otherwise. I would say then to look at all levels of share and NTFS permissions for a share on FS1 and FS2 and compare them. Look for differences. This is the easiest first step. If you have done this already and don't see anything different, check for a local policy setting that may be the culprit.


Hope this helps.
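The side-by-side comparison suggested above can be scripted rather than clicked through share by share. The following is an added example, not code from the thread; it assumes the SmbShare module (Windows Server 2012 / Windows 8 or later), that the caller is an administrator on both servers, that CIM over WinRM is reachable, and that 'Data' is a share that exists on both FS1 and FS2 (an assumed name). One caveat worth keeping in mind while reading the output: share and NTFS ACLs decide what an account can open once connected, not whether the server hands back its list of share names at all, so a difference found here explains the "can't browse" half of the symptom, not the enumeration half.

```powershell
# Added example, not from the thread: compare the share-level and NTFS ACLs of one
# share on two file servers and flag the broad principals discussed above.
# Assumes the SmbShare module (Windows Server 2012 / Windows 8 or later), that the
# caller is an administrator on both servers, and that CIM/WinRM is reachable.
# 'FS1' and 'FS2' come from the thread; 'Data' is an assumed share name.
$Servers   = @('FS1', 'FS2')
$ShareName = 'Data'

# Principals that would let any authenticated (or any) user in at some level.
$BroadPrincipals = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')

function Get-SharePermissionReport {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$Share)

    # Share-level ACL, read remotely over CIM.
    $session = New-CimSession -ComputerName $Server
    try {
        $shareAcl = Get-SmbShareAccess -CimSession $session -Name $Share | ForEach-Object {
            [pscustomobject]@{
                Server  = $Server; Layer = 'Share'
                Account = $_.AccountName
                Type    = [string]$_.AccessControlType
                Rights  = [string]$_.AccessRight
            }
        }
    } finally {
        Remove-CimSession -CimSession $session
    }

    # NTFS ACL of the share root, read through the UNC path.
    $ntfsAcl = (Get-Acl -Path "\\$Server\$Share").Access | ForEach-Object {
        [pscustomobject]@{
            Server  = $Server; Layer = 'NTFS'
            Account = $_.IdentityReference.Value
            Type    = [string]$_.AccessControlType
            Rights  = [string]$_.FileSystemRights
        }
    }

    @($shareAcl) + @($ntfsAcl)
}

$report = foreach ($s in $Servers) { Get-SharePermissionReport -Server $s -Share $ShareName }

# 1. Full side-by-side listing of both layers on both servers.
$report | Sort-Object Layer, Account, Server | Format-Table -AutoSize

# 2. Any Allow ACE for a broad principal, on either layer, on either server.
$report | Where-Object { $_.Type -eq 'Allow' -and $BroadPrincipals -contains $_.Account } |
    ForEach-Object { Write-Warning "$($_.Server) [$($_.Layer)] $($_.Account): $($_.Rights)" }

# 3. ACEs that exist on one server but not the other.
$ref  = $report | Where-Object Server -eq $Servers[0]
$diff = $report | Where-Object Server -eq $Servers[1]
Compare-Object -ReferenceObject $ref -DifferenceObject $diff -Property Layer, Account, Type, Rights |
    Select-Object Layer, Account, Type, Rights,
        @{ n = 'OnlyOn'; e = { if ($_.SideIndicator -eq '<=') { $Servers[0] } else { $Servers[1] } } }
```

Run it once per share you care about; the third output section is the one to read first, since an ACE present on FS2 and absent on FS1 is exactly the kind of difference the reply above is asking for.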

I've checked the shares. The share and folder permissions are locked down pretty well. No "Everyone", "Users" or "Authenticated Users" permission on any of those folders/shares.

I've also compared the policies side-by-side and mirrored them and I still have the issue.

Audun wrote:

Just a longshot here - could it be that Access Based Enumeration is enabled on FS1, but not on FS2? I haven't used it myself though, so I wouldn't know how it's supposed to behave.

From MS's description:
"Windows Server 2003 Access-based Enumeration makes visible only those files or folders that the user has the rights to access. When Access-based Enumeration is enabled, Windows will not display files or folders that the user does not have the rights to access. This download provides a GUI and a CLI that enables this feature."

Thanks Audun. That's actually good to know. But again, it's not the folders I'm having problems with. It's the enumeration of the shares. And it's only using the local Administrator account.

On FS2, do you have a local account with the same name and password as on the workstation? And on FS1, is there no such account, or is it disabled?

If I'm not wrong, if you try to access a share from a workstation logged on with a local account, and on the server there is a local account with the same username and password (or an AD user, the same way), you can access it with that account's privileges.

That's a good point actually. If you try to access a network resource, Windows automatically tries to use your current credentials (otherwise you would be prompted for a password every time you accessed a network drive, etc.), but as well as this it must use your account's unique security ID (SID) to determine whether you have access to that resource. With the local Administrator account, though, the SID is the same on all machines, so I'm guessing that if you also have the same password for the local admin account on this file server, then it would automatically log you on to it without a problem.

So I guess as a test you can try changing the local admin password on one of your workstations to something random and then try to access that server (after logging off and back on). Or, if you have a standard server local admin password that is different from the standard workstation local admin password (which I would hope you have), then just try resetting this file server's password to that, as I'm guessing it is possible that someone accidentally could have set the server up with the workstation local admin password.
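The two replies above describe the right mechanism, with one correction a practitioner would want: what travels over the wire in an NTLM network logon is the user name (here "Administrator"), the client's computer name and a challenge response derived from the password hash, not the account's SID. A member server that receives a name it cannot resolve as a domain account checks its own SAM, and if a local account with that name and password exists, the session is authorized as that local account. That is why the server-side view settles the question faster than changing passwords and retesting. The following is an added example, not code from the thread; it is meant to run on the file server (FS2 here), assumes Windows Server 2012 or later for Get-SmbSession, and assumes that "Audit Logon" is enabled so Security event 4624 is written.

```powershell
# Added example, not from the thread: show which account this file server actually
# authenticated each inbound SMB connection as. If a workstation's local
# Administrator is being let in, the session and the logon events will show the
# server's own local account (e.g. FS2\Administrator), not a domain account.
# Assumes Windows Server 2012+ (Get-SmbSession) and that logon auditing is enabled.
function Get-InboundSmbSessions {
    param([string]$ClientFilter = '*')
    Get-SmbSession | Where-Object { $_.ClientComputerName -like $ClientFilter } |
        Select-Object ClientComputerName, ClientUserName, NumOpens, SecondsIdle
}

function Get-NetworkLogonEvents {
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            LogonType   = $data.LogonType                 # 3 = network logon (SMB)
            Account     = "$($data.TargetDomainName)\$($data.TargetUserName)"
            Package     = $data.AuthenticationPackageName # NTLM vs Kerberos
            Workstation = $data.WorkstationName
            SourceIp    = $data.IpAddress
        }
    } | Where-Object LogonType -eq '3'
}

# Sessions currently open against this server, with the account they run as.
Get-InboundSmbSessions | Format-Table -AutoSize

# Network logons in the last two hours where the account domain is this server's
# own name, i.e. a local SAM account was matched rather than a domain account.
Get-NetworkLogonEvents -Hours 2 |
    Where-Object { $_.Account -like "$env:COMPUTERNAME\*" } |
    Format-Table -AutoSize
```

From the workstation side, Get-SmbConnection lists each open connection with the UserName and Credential it was made under, which confirms the same thing from the other end. If the server-side listing does show FS2\Administrator for a workstation connection, a distinct local admin password on the server is the immediate fix; on Windows 8.1 / Server 2012 R2 and later the durable fix is to add the "Local account" (S-1-5-113) or "Local account and member of Administrators group" (S-1-5-114) well-known groups to "Deny access to this computer from the network" on member servers, which blocks this pass-through regardless of password reuse.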

The first thing that comes to my mind is the local admin account you are using and the domain admin account have matching passwords. Create a local user on one of your workstations that has a unique name and try to access it again.

The first thing that comes to my mind is the local admin account you are using and the domain admin account have matching passwords.

If that was the case then surely it would affect the other server as well. Also, wouldn't that be a bit of a security issue if a local admin account with the same password as the domain admin account suddenly had access to everything that the domain admin account does? I think it must just be that the local admin password on the PCs matches the local admin password on that one server.


I was thinking something similar originally. However, the passwords for local Administrator account for workstations and servers are different. I'll keep looking. Thanks everyone for the input.

Well yeah, I'm sure that is the plan, but have you actually confirmed it for this server? Just try it: try resetting the local admin password on that file server to what you think it should be (i.e. your standard server local admin password) and then see if you still have the same problem.
